Website Privacy Notice

NeuraLoop treats restraint with personal data as a matter of principle, not policy. This Notice states, plainly and exactly, what this website collects about you, why, on what lawful basis, how long it is held, and the rights you may exercise.

It is the current version of our Website Privacy Notice. The effective date and version are shown above; when we change the Notice we revise both and make material changes evident on this page (see Changes to this Notice).

We run no advertising networks, we do not sell or rent personal data, and we do not track you across the open web. The site is built to operate on the least personal data necessary.

This website is operated by NeuraLoop Surveillance Intelligence Private Limited (“NeuraLoop”, “we”, “us”), a company incorporated in India under the Companies Act, 2013, with Corporate Identity Number (CIN) U80100KA2024PTC189461, having its registered office in the State of Karnataka, India.

For the personal data this website collects, NeuraLoop is the Data Fiduciary under the DPDP Act and the controller under comparable laws. You can exercise your rights, and reach the person responsible for a given jurisdiction, through the routes set out in Your rights.

This Notice concerns the public website only. It explains how we handle the limited personal data the site itself collects when you visit it or contact us through it. For that data NeuraLoop acts as a Data Fiduciary / controller: we determine the purposes and means of processing.

It does not cover engagements conducted under contract, nor the data handled by any system we build, deploy, or operate for a client. Where we process personal data on a client’s behalf, we act as a Data Processor under that client’s instructions and separate terms; that framework is maintained independently and is not described here. Nothing in this Notice describes the capabilities, claims, or data handling of any NeuraLoop product or deployment.

We collect the following defined categories of personal data, from the three sources noted at the end of this section:

Inquiry Data

When you contact us through an inquiry form, you choose what to share — typically your name, your organisation, a role or title, a way to reach you, and the substance of your inquiry. The exact fields are visible to you at the point of submission. You decide how much detail to include.

Technical Data

When you load a page, our systems record a limited operational record: a pseudonymised form of your network (IP) address, produced by a one-way method re-salted daily so it cannot be used to follow you across days; a general classification of your browser and device; the pages requested; and the times of those requests. Where available, a coarse location (country, region, city) is derived from network information. We do not collect precise or device-level location.

Security Data

To keep the site available and resistant to abuse, we record typed security events — for example, a blocked malformed request or a rate-limit trip — together with the same pseudonymised network address rather than a raw one. Where activity against the site is confirmed to be hostile, a fuller forensic record (which may include the originating network address in unmodified form and a device fingerprint) is preserved as evidence. The measures that generate this data are described in Security and fraud-prevention processing.

Sources

We obtain personal data from three sources only: (i) directly from you, when you submit an inquiry or set a consent preference; (ii) automatically from your device and browser, as you interact with the site; and (iii) from our service providers acting as processors — for example, the hosting and availability-defence layer that serves the site — strictly in the course of delivering the site to you. We do not buy personal data, and we do not enrich it from data brokers.

We use personal data only for the purposes below, each tied to a lawful basis. Under the DPDP Act, processing of Inquiry Data rests on your consent given through this Notice; the bases in brackets are the corresponding grounds under the GDPR / UK GDPR and equivalent laws for visitors to whom they apply.

• To respond to your inquiry and correspond with you — on the basis of your consent (and our legitimate interest in conducting institutional correspondence). Inquiry contents are handled in confidence.
• To operate, maintain, and deliver the website — on the basis of our legitimate interest in providing a functioning site (and, where it applies, the necessity of processing to provide a service you request).
• To secure the website and prevent fraud and abuse — including the measures in Security and fraud-prevention processing — on the basis of our legitimate interest in the availability, integrity, and protection of the site and the people using it, and, where records are kept for potential disputes, the establishment, exercise, or defence of legal claims.
• To record and honour your consent and privacy choices — on the basis of our legal obligation to demonstrate lawful processing and to act on your rights.
• To comply with law — including retention or disclosure where a valid legal instrument requires it — on the basis of our legal obligation.

Inquiry Data and Technical Data are kept functionally separate. We do not build visitor profiles, and we do not merge these records to identify individuals beyond what a specific security investigation or a verified rights request requires.

Because this site presents a public surface to an adversarial internet, we run a small set of strictly-necessary security measures. We describe them here honestly — each with its lawful basis, retention, the carve-out that protects evidence, and your route to a human review — so that you know they exist and what they do.

• A behavioural security sentinel. A first-party script observes coarse interaction signals — pointer movement, scroll behaviour, and the rhythm (not the content) of keystrokes — to distinguish a human visitor from an automated one. It is used to detect abuse, not to identify you and not to record what you type, and it feeds no advertising or profiling system. Basis: legitimate interest in protecting the site.
• A security cookie (“nl_sca”). A strictly-necessary first-party cookie that carries the sentinel’s assessment so the protection works across the pages you visit. It is not used for analytics, advertising, or cross-site tracking. Basis: legitimate interest; it is essential to the security function and is exempt from consent.
• A device fingerprint for fraud prevention. Where a visit is assessed as automated or hostile, we derive a technical signature from your browser and device (for example, canvas and graphics-rendering output, the GPU model, screen and hardware properties, and locale/time-zone) to recognise repeat abuse from the same source. For ordinary visitors this signal is transient and is not retained; it is preserved only as part of the evidence of confirmed hostile activity. Basis: legitimate interest in fraud and abuse prevention, and the establishment, exercise, or defence of legal claims for any retained evidence.
• Automated rate-limiting and temporary blocking. When a source exceeds safe request thresholds or trips an abuse rule, the site may slow, challenge, or temporarily block it. These are security tripwires that protect availability. Basis: legitimate interest in the integrity and availability of the site.
• Forensic capture of confirmed-hostile activity. Where activity is confirmed to be hostile, a tamper-evident forensic record — which may include the unmodified network address, the device fingerprint, and the technical signature of the attack — is preserved as evidence. A hostile actor cannot erase the record of their own attack. Basis: the establishment, exercise, or defence of legal claims.

Retention. Routine Security Data is retained for about 90 days and then deleted or anonymised. Forensic evidence of confirmed-hostile activity is retained for up to the applicable limitation period for legal claims (a horizon of approximately 1,095 days), and then sealed and archived or pruned in line with that purpose.

Erasure carve-out. The forensic evidence record and the tamper-evident handling log are exempt from erasure on request, where retention is permitted or required for the establishment, exercise, or defence of legal claims — under the legal-claims carve-out of the GDPR (Article 17(3)(e)), the corresponding legal-purpose basis under the DPDP Act, and the security and legal-claims exceptions under the CCPA.

Human review and no automated decisions. These measures are reviewed by a person, not left to run unaccountably. A temporary block or restriction is a security tripwire, not a decision about you of the kind that produces a legal or similarly significant effect; we make no such decision about you by solely automated means, and any consequential decision involving a person is reviewed by a person. If you believe a block, challenge, or restriction has affected you unfairly, you may ask us to review it through the route in Your rights, and a person will consider the matter and respond. For sound security reasons we do not publish the specific tools, parameters, or architecture of these defences; we describe their effect, and hold the detail in confidence.

We hold personal data under technical and organisational safeguards designed to prevent loss, misuse, and unauthorised access. If a notifiable personal data breach nonetheless occurs, we act on it promptly and transparently.

Notification to the regulator. Where a breach is notifiable, we notify the Data Protection Board of India without undue delay, and follow with a detailed report within 72 hours of becoming aware of it, in the manner and form required by the notified Digital Personal Data Protection Rules, 2025 (Rule 7).

Notification to you. Where the breach is likely to affect you, we inform you in plain language — describing the nature of the breach, its likely consequences, the measures we have taken or propose to take to mitigate it, and a point of contact from whom you can obtain further information.

EEA and UK visitors. If you are in the European Economic Area or the United Kingdom, the equivalent obligations under Articles 33 and 34 of the GDPR / UK GDPR apply: notification to the competent supervisory authority without undue delay (and, where feasible, within 72 hours), and communication to you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.

We do not sell personal data. We do not rent or trade it, and we do not share it for any third party’s own purposes or for cross-context behavioural advertising.

A small number of specialist providers act strictly as our processors — for example, email delivery and hosting / availability-defence services. They act only on our written instructions, are bound to confidentiality, may not use personal data for their own ends, and are engaged under a data-processing agreement.

We disclose personal data to authorities only where compelled by a valid legal instrument, and we will challenge any demand that is overbroad or unlawful.

Personal data collected through this website is processed on infrastructure operated for NeuraLoop in India. If you are outside India, your personal data is transferred to, and processed in, India.

Where a transfer to India is subject to additional safeguards under a law that applies to you, we rely on the recognised protective mechanisms under that law — including the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum, as applicable) — together with supplementary technical and organisational measures. The specific rights and disclosures that apply to your transfer are set out in the jurisdiction blocks under Your rights.

We keep personal data only for as long as it is needed for the purpose it was collected for, applying the following criteria:

• Inquiry Data is retained for up to 24 months of inactivity, after which the personal details are irreversibly minimised; a minimal, non-identifying record may be kept for audit integrity.
• Technical Data and routine Security Data are retained for about 90 days, then deleted or anonymised. A jurisdiction may shorten — never lengthen — this window.
• Consent and rights-request records are retained for the applicable limitation period to evidence lawful handling, then pruned.
• Forensic evidence of confirmed-hostile activity, and the tamper-evident handling log, are retained for the limitation period for legal claims (a horizon of approximately 1,095 days) for that purpose only, and are subject to the erasure carve-out described in Security and fraud-prevention processing.

The site uses a minimal set of cookies and equivalent storage, grouped as essential (always on, including the “nl_sca” security cookie), functional / preference (off by default), and performance / analytics (off by default, first-party only, no third-party trackers and no cross-site tracking). Non-essential storage is enabled only with your consent, you may change or withdraw your choices at any time through the on-site consent control, and your browser’s Global Privacy Control (GPC) signal is honoured as a binding opt-out. For the full, itemised list of cookies, their purpose, and their lifetime, see our Cookie Policy.

Whatever your location, and in respect of the personal data this website holds about you, you may ask us to:

• access the personal data we hold about you;
• correct data that is inaccurate or incomplete;
• erase data, except where we are required or permitted to retain it — for example, a legal obligation, or the forensic evidence and handling log held for the defence of legal claims (see Security and fraud-prevention processing).

To exercise any of these, use the privacy-request form at /privacy/request. We verify requests before acting and respond within the timeframe set by the law that applies to you. If an automated security control has restricted your access, you may use the same form to ask a person to review it.

Honest limits on access and erasure. Your inquiry exists in two forms, protected differently. The copy delivered to us by email is sealed to a key held offline, so the services that transmit it cannot read its contents. The operational copy we retain to handle your inquiry is encrypted at rest under our own control and is accessed only where necessary for that purpose; an access export will confirm that such contents exist and are held encrypted rather than reproduce them in full. Separately, the forensic evidence of confirmed-hostile activity and the tamper-evident handling log are retained on a legal-claims basis and are exempt from erasure, as permitted under applicable data-protection law.

The law that applies to you may grant further rights and a route to a supervisory authority. Those additional rights, and the contact for each jurisdiction, are set out below. Every jurisdiction’s block is shown; select your region to bring it to the top.

This website is an institutional resource. It is not directed to children, has no sign-up, and collects no age information, so the conditions that would require verifiable parental consent are not triggered. As a reference baseline we treat 18 as the age of a child for these purposes, in line with the DPDP Act (with stricter local thresholds applied where they are lower). We do not knowingly collect personal data from minors; if you believe a minor has provided personal data, use the form at /privacy/request and we will remove it.

We will update this Notice as our practices or the law evolve, and will revise the effective date and version above. Material changes will be made evident on this page.